Botnet Recall of Things

After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 4.3 million (an earlier version of this post said 300 million) of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords. (You can cut/paste the text into a translator and have a few laughs, or just take our word for it. The company’s name gets mis-translated frequently throughout as “male” or “masculine”, if that helps.)

Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords, so we’ll cut them some slack. Is the threat of massive economic damage from a recall of insecure hardware going to be the driver for manufacturers to be more security conscious? (We kinda hope so.)

Meanwhile, if you can’t get enough botnets, here is a trio of recent articles (one, two, and three) that are all relevant to this device recall.

33 thoughts on “Botnet Recall of Things”

Xiongmai
Like many other dodgy Chinese companies making cheap tech/security devices, they always blame others for issues they created and then attempt takedown notices when their security flaws are pointed out. There was a lock, no longer sold, that used a special key disc; it was opened with a coat hanger and a screwdriver fairly quickly, and the manufacturer had a meltdown on YouTube.

I have seen many non-Chinese companies do the same. I think the 300 million people that bought these devices without thinking how or why it’s cheap, put them in their living room, and connected them to the internet are also to blame.

These people aren’t going to pay any attention to this recall. How many cameras do you think are going to be sent back at this point? 1,000?

Apathy is the big problem here… anything that requires a firmware update is almost impossible to get consumers to pay attention and perform the work. Anything that requires changing a password will be extremely hard to get consumers to act. Botnets are almost an unsolvable problem once the shoddy hardware has proliferated.

So, Apple (and later anything with an app Store, like Google, Amazon, Apple, etc) has made great strides in making sure updates get installed by having all software updates go through one unified Software Update stream. App stores will routinely tell you “ok six updates are ready” regardless of what it is being updated, disparate developers behind them, etc etc.

Still, things get left behind. Have you tried tracking down firmware updates for your HDD? Lot of people don’t even know you can do that. I wonder if there is any possibility of success for an even grander Everything Update system, where you can update any DEVICE or component, not just the software that runs on it.

I mean in the sense that Apple Update can manage non-Apple products. Windows may do it now, but it didn’t before, which is how they ended up having Microsoft Update, Java Update, MS Office Update, Dell Update, … all running at startup or whatever.

This is interesting and probably highlights an issue with Google translate. I clicked on the link that was provided in the article above, and then clicked translate in Chrome and I read, “mainly for one million cards network cameras, one million cloud network camera (shaking his head), 1,000,000 panoramic network camera, 1.3 million network cameras make panoramic recall process, while increasing forced to change the default password features to minimize security risks.” This is the 4.3 million that [Alex Hornstein] was talking about.

You should always change the default password, as it’s there just to let you get into the device after a factory reset.
Though maybe they should bring back serial ports for recovery vs. only being able to configure it over the network.
All they need to do is add a USB connector and a Prolific USB-to-serial chip to the UART that’s probably already on the chipset, and there you go: a serial console.
Need to recover it? Just plug a laptop into it, and you can choose to make it so you cannot even reconfigure it over the net if you’re paranoid.
Probably less than 50 cents a device.
I also wonder how much trouble could be avoided by being able to make the firmware part of the flash read-only except for when there is an update.

It’s a Google translation problem. If you read the original Chinese, it says (paraphrasing due to my crappy Chinese) “100万” of the network card cameras, “100万” of the cloud cameras, “100万” of the panoramic network cameras, and “130万” of the panoramic cameras.

If you just type “万” into Google Translate as a standalone character, Google incorrectly interprets it as “million”. It’s weird, because the first translation result in Google Translate is the correct number, ten thousand. (https://cl.ly/3p0c103R1E0X)

Bizarrely, I read the page originally using the Google Translate Chrome plugin, which translates it correctly (https://cl.ly/3e3Y1f2N3201), but copy-pasting it into Google Translate gives the incorrect translation of 万 as “million”, rather than 10,000.

Also, back-of-the-envelope thinking shows it to be unlikely. There are ~318 million people in the US, the market affected by this recall, and I know at least one other person who doesn’t have a Xiongmai network camera, panoramic or otherwise.

Good luck with that. And I might go as far as stating that they *knew* better, but in the cut-throat business of consumer electronics, there’s no such thing as “doing the right thing” when the expedient gets you to market faster and cheaper.

“Is the massive economic damage that a recall of insecure hardware going to be the driver for a change to more security consciousness on the part of manufacturers?” seems like it was cobbled together from three different sentences…

Although manufacturers can be expected to provide reasonably secure devices, it will never be possible to ensure that all manufacturers of the (eventually) billions of IOT devices will be properly securing their devices. While it is reasonable to expect users to change the passwords (when they are not hard coded), that should either be “forced” in order to activate the device, or unique passwords should be supplied. It needs a sort of internet UL for IOT devices to encourage this.

In the end it will be up to end users and ISPs to prevent bot takeover. I expect to see intelligent security devices/routers becoming available that can monitor your internet activity and let you (and maybe the ISP) know if any of your devices are acting incorrectly so that you can take them offline or fix them. The issues may be bots or viruses or just plain device failure. Of course, there will need to be some cost to end users and ISPs if issues are not fixed to incent everyone to take action. The “smart/deep learning” routers could automatically filter (with user override), making it easier for end users. The key is that end users should be deciding what is and isn’t OK as otherwise ISPs could impose censorship under the disguise of DDNS prevention.

It is meant to be connected to a second router that is connected to a network DVR on a second ethernet cable with no internet access whatsoever. The ONLY device that can bridge the two networks MUST be a computer that has ANY AND ALL ACCESS BY NORMAL EMPLOYEES BARRED WITH LOCK AND KEY, or, to be 100% secure, a second $100 computer JUST for viewing the DVR’s content, as they are usually headless. This is to prevent access to Facebook etc., where all it takes is a targeted friend REQUEST and you’re screwed; you do not have to accept, just log in and you’re infected.

Although a picture can speak a thousand words, an infected (non-bitmap) picture can speak nearly unlimited words.

The problem with this is that the average consumer now doesn’t even realize that wifi, ISP, cable modem, router etc. are different things. You see ’em on Facebook etc.: “OMG I need new wifi, this one charged me for overage…” etc.